SpringBoot Admin安全配置

SpringBoot SpringBoot Admin 评论

之前我们讲过如何使用SpringBoot Admin监控微服务,但是这种情况下,所有的服务都会暴露给外部,一旦SBD地址泄露,那我们的服务将毫无安全可言,所以我们需要给SBD配置安全策略。Web应用的身份认证和授权方式有多种方法,Spring Boot Admin不提供默认方法。默认情况下,spring-boot-admin-server-ui提供登录页面和注销按钮,我们使用Spring Security实现安全认证。

  1. 引入Spring Security依赖

    1
    2
    3
    4
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

  2. 在application.yml文件中配置安全认证信息

    1
    2
    3
    4
    5
    spring:
      security:
        user:
          name: <user name>
          password: <Password for user name>

  3. 创建认证策略管理类

    该类继承自WebSecurityConfigurerAdapter,具体代码如下:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
    import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

    import de.codecentric.boot.admin.server.config.AdminServerProperties;

    /**
     * 安全配置类
     * 
     * @author chuan
     */
    @Configuration
    @EnableWebSecurity
    public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {

        private final String adminContextPath;

        public SecuritySecureConfig(AdminServerProperties adminServerProperties) {
            this.adminContextPath = adminServerProperties.getContextPath();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            SavedRequestAwareAuthenticationSuccessHandler handler = new SavedRequestAwareAuthenticationSuccessHandler();
            handler.setTargetUrlParameter("redirectTo");
            handler.setDefaultTargetUrl(this.adminContextPath + "/");

            // 启用HTTP-Basic支持。这是Spring Boot Admin Client注册所必需的
            http.httpBasic().and()
                    // 授予对所有静态资产和登录页面的公共访问权限
                    .authorizeRequests().antMatchers(this.adminContextPath + "/assets/**").permitAll()
                    // 授予对所有静态资产和登录页面的公共访问权限
                    .antMatchers(this.adminContextPath + "/login").permitAll().and()
                    // 所有请求都需要验证登录
                    .authorizeRequests().anyRequest().authenticated().and()
                    // 登录表单
                    .formLogin().loginPage(this.adminContextPath + "/login").successHandler(handler).and()
                    // 登出表单
                    .logout().logoutUrl(this.adminContextPath + "/logout").and().csrf()
                    //	Enables CSRF-Protection using Cookies
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).ignoringAntMatchers(
                      //	将服务注册的接口暴露出去.
                      this.adminContextPath + "/instances",
                      this.adminContextPath + "/actuator/**");

            ;
        }
    }

  4. 重启服务即可

    image-20201122235722207

讲了半天如何配置server端的安全,难道客户端的安全就不重要了吗?当然不是,服务端是访问权限的控制,而客户端是操作权限的控制,这里才是安全配置的重中之重,因为服务端也仅仅是通过客户端actuator的接口实现通信的,所以将客户端的权限配置稳固,也是我们必须要做的,否则别人直接通过actuator接口调用我们的actuator/shutdown接口,服务就翘了,开发要祭天了,产品要疯了,运营要炸了。

首先我们需要将客户端的几个actuator接口暴露出来,这里我们将所有的接口全都暴露出来,就不做相关的控制了:

1
2
3
4
5
6
7
8
management:
	endpoints:
		web:
			exposure:
				include: '*'
	endpoint:
		health:
			show-details: ALWAYS

然后引入Spring Security依赖包做权限控制:

1
2
3
4
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

引入Security包了,就需要配置相关的权限,首先配置接口的访问权限:

1
2
3
4
5
spring:
	security:
		user:
			name: <actuator user>
			password: <password for actuator user>

权限开通了,那么我们就需要将权限告知SBD Server端,否则server端将会无权限访问,告知方式也是在配置文件中设置:

1
2
3
4
5
6
7
8
9
10
11
spring:
	boot:
		admin:
			client:
				url: <sbd server url>
				username: <sbd server username>
				password: <password for sbd server user>
				instance:
					metadata:
						user.name: ${spring.security.user.name}
						user.password: ${spring.security.user.password}

设置OK,启动我们的client服务, 发现服务监控成功了,但是其他的接口都访问不了了,业务跪了,这是因为我们的Security默认是拦截所有的请求,但是我们这里指需要让它拦截actuator的接口即可,业务相关的接口由业务权限系统去控制,所以我们需要单独配置一下WebSecurityConfigurerAdapter

1
2
3
4
5
6
7
8
9
10
11
12
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and().authorizeRequests().antMatchers("/actuator/**").authenticated().anyRequest().permitAll();
    }
}

到这里再重新启动服务,所有的流程就都通畅了。

串一串浪人

断舍离